Hi, Guys,
I am using Fortigate 600E HA-pair with FortiOS v6.44.
Based on the following articles, I set up the management-IP:
1. Fortigate Management Interface in HA Mode – UNIX fu
2. FortiGate HA Cluster Management IP - In Band Method v6 - (fullradius.com)
I can find the HA virtual MAC address of the mgmt-IP interface (10.101.1.38), but cannot find the physical MAC address of the primary/secondary Fortigate device (10.101.2.37 ?); so that:
1. I can ping the mgmt IP (10.101.1.38) and the management-IP (10.101.2.37) from inside the Fortigate device
2. I cannot ping the management-IP (10.101.2.37) from outside (outside the Fortigate device, even within the same subnet)
Note: I can ping the outside world (WAN and LAN) from within the Fortigate device
======my configuration==============
Mgmt interface configuration in primary Forti600e01 (CLI mode):

Forti600E_01 # sh sys int mgmt
config system interface
    edit "mgmt"
        set vdom "root"
        set management-ip 10.101.2.37 255.255.255.0
        set allowaccess ping https ssh snmp
        set type physical
        set device-identification enable
        set lldp-reception disable
        set lldp-transmission disable
        set role lan
        set snmp-index 2
    next
end

Forti600E_01 # show sys int "HA_mgmt_Port"
config system interface
    edit "HA_mgmt_Port"
        set vdom "root"
        set ip 10.101.1.38 255.255.255.0
        set allowaccess ping https ssh snmp
        set role lan
        set snmp-index 27
        set interface "mgmt"
        set vlanid 11
    next
end

Forti600E_01 # sh sys ha
config system ha
    set group-id 1
    set group-name "HA"
    set mode a-a
    set password 0000
    set hbdev "ha" 299 "port1" 100
    set override disable
    set priority 150
end
==========
Please advise.
This is our 1000D's mgmt1 (multi-vdom env so under global) in HA. You're probably looking for the "Current_HWaddr".

xxx-fg1 (global) # diag hard device nic mgmt1
Driver_Name          e1000e
Driver_Version       3.2.4.2-NAPI
MAC_Type             3
IRQ                  17
System_Device_Name   mgmt1
Current_HWaddr       e8:1c:ba:6d:e5:9a
Permanent_HWaddr     e8:1c:ba:6d:e5:9a
---<snip>---
To add, I would do a diag sniffer packet mgmt "arp or icmp" and see what reports when you do your testing.
Ken Felix
PCNSE
NSE
StrongSwan
FGT (global) # diag hardware deviceinfo nic mgmt
Description          Intel(R) Gigabit Ethernet Network Driver
Driver_Name          igb
Driver_Version       5.0.6
PCI_Vendor           8086
PCI_Device_ID        1533
PCI_Subsystem_Vendor ffff
PCI_Revision_ID      0003
PCI_Bus              22
PCI_Slot             0
MAC_Type             6
PCI_Bus_Type         PCI-E
PCI_Bus_Speed        2.5Gb/s
PCI_Bus_Width        Width x1
IRQ                  18
System_Device_Name   mgmt
Current_HWaddr       e8:1c:ba:de:b2:aa
Permanent_HWaddr     e8:1c:ba:de:b2:aa
Link                 up
Speed                1000
Duplex               full
FlowControl          current:0/requested:3
Interrupt mode       MSI-X
Rx queue(s)          1
Tx queue(s)          1

FGT (global) # fnsysctl ifconfig mgmt
mgmt    Link encap:Ethernet  HWaddr E8:1C:BA:DE:B2:AA
        UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
        RX packets:10158137 errors:0 dropped:0 overruns:0 frame:0
        TX packets:1 errors:0 dropped:0 overruns:0 carrier:0
        collisions:0 txqueuelen:5000
        RX bytes:1557083299 (1.4 GB)  TX bytes:90 (90 Bytes)
Hi, guys,
Sorry for being misleading.
I meant, after the HA-pair is formed, I cannot see the individual MAC address of the physical mgmt interface from outside, hence I cannot ping the individual primary/secondary Fortigate mgmt interface (=10.101.2.37, no MAC address is seen from outside); but I can ping the HA-pair IP (=10.101.1.38, the virtual MAC address can be seen from outside).
Any advice?
That means you have set it up in a wrong way. Can you provide me the below show output from config global...
1. show sys interface mgmt
2. show sys ha
Probably you are missing "set dedicated-to management" on the interface & "set ha-direct enable" on the HA.
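One way to check a saved `show` output for the two settings named in this reply, as an added example that is not part of the original thread. The function names are hypothetical, and the sample config is constructed from the output posted earlier in the thread (trimmed).

```python
import shlex

# Constructed sample, trimmed from the config posted earlier in the thread.
SAMPLE = '''
Forti600E_01 # sh sys int mgmt
config system interface
    edit "mgmt"
        set vdom "root"
        set management-ip 10.101.2.37 255.255.255.0
        set allowaccess ping https ssh snmp
    next
end
Forti600E_01 # sh sys ha
config system ha
    set group-name "HA"
    set mode a-a
    set hbdev "ha" 299 "port1" 100
end
'''

def parse_fortios(text):
    """Map (config section, edit entry...) -> {setting: [values]} from 'show' output."""
    settings, stack = {}, []          # stack holds open config/edit scopes
    for raw in text.splitlines():
        tok = shlex.split(raw)        # handles the quoted names FortiOS prints
        if not tok:
            continue
        if tok[0] == "config":
            stack.append(("config", " ".join(tok[1:])))
        elif tok[0] == "edit" and len(tok) > 1:
            stack.append(("edit", tok[1]))
        elif tok[0] == "next" and stack and stack[-1][0] == "edit":
            stack.pop()
        elif tok[0] == "end":         # closes the innermost config scope
            while stack and stack.pop()[0] != "config":
                pass
        elif tok[0] == "set" and len(tok) > 1 and stack:
            key = tuple(name for _, name in stack)
            settings.setdefault(key, {})[tok[1]] = tok[2:]
    return settings                   # prompt lines fall through and are ignored

def check_reserved_mgmt(text, ifname):
    """Report whether the two settings suggested in the reply are present."""
    cfg = parse_fortios(text)
    iface = cfg.get(("system interface", ifname), {})
    ha = cfg.get(("system ha",), {})
    return {
        "dedicated-to management": iface.get("dedicated-to") == ["management"],
        "ha-direct enable": ha.get("ha-direct") == ["enable"],
    }

if __name__ == "__main__":
    print(check_reserved_mgmt(SAMPLE, "mgmt"))
```
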
The problem is fixed.
How did you manage to fix it?
Hi, Sekar,
Thanks for your information,
Please refer to the following article I posted:
Cheers